Networked tribes, system disruption and the emerging bazaar of violence. A blog about the future of conflict.

Monday, 14 April 2008

The history of the dominant technologies of 21st Century warfare won't spend much time on the complex and expensive systems developed by US defense contractors. Instead, the focus will be on the innovations that are derived from open tinkering networks of amateur inventors. The reasons for this include:

Higher levels of novelty production. Diverse and open networks of amateur hackers, tinkerers, and inventors can pursue more paths of discovery and development simultaneously than large, expensive, and linear development efforts. The importance of this will increase as Moore's Law (the roughly two-year doubling of transistor counts, and with it of the computing power available to the average user) carries an exponential curve ever more steeply upward. See open decision making for more.

More platform leverage. Open development has access to all the global platform has to offer from services to systems to knowledge. In short, the more open and globally networked you are, the better you can take advantage of this leverage.

Faster adoption. The delta between development and widespread adoption of innovations that work will increasingly shrink due to widespread sharing. This is in contrast to the closed and tightly controlled process of deployment seen in traditional defense systems acquisition.

DIY ROCKETS

We can see an early example of this trend in weapons development with the IED (improvised explosive device), which has migrated from a tactical device to an operational (operational art sits between tactics and strategy) weapon. Another weapon that may follow a similar path of development is the DIY (do it yourself) rocket. Although it is early days, the writing is on the wall. DIY rockets are inexpensive ($500 to $2000 currently), easy to store, and quick to launch (they require less set-up time than IEDs). In terms of effects, they convey the message (despite their current inaccuracy) that no place is safe for civilian supporters of a war effort. They can also be used to destroy economic activity in affected areas. For example, the Israeli town of Sderot, which has suffered an increasing number of DIY rocket attacks over the last seven years:

About 4000 of the town's 23,500 people have moved out in the past two years, according to municipal figures. Many more say they would leave if they could... Home prices have fallen by 50 per cent... 20-30 per cent of businesses in Sderot and surrounding areas have shut down... Overall sales at the stores that remain open have dropped by nearly 50 per cent...

Given this example, it's clear that DIY rockets can make wars with global guerrillas disastrous under the requirement (set by the highly competitive global marketplace) that these wars be fought during peacetime. Further, if they are combined with a defensive hedgehog, they force conventional forces to make relatively ineffectual and harried strikes on fleeting targets, which creates the collateral damage so useful to an insurgency.

We can expect these DIY efforts to get steadily better as new amateur tech (tinkering networks) adds increasing levels of sophistication (from range to accuracy). Here's a great example of low cost design software from RocketSim. Basic avionics. Here's a nice system that adds telemetry and inertial/GPS measurement. As a capper, here's potentially a platform play in open source avionics for rockets. The last step, a control system connected to servo-based vanes, is all that is needed to enable it to hit specific buildings. That's hard, but well within the capabilities we see emerging in the tinkering space.

NOTE: Of course, I should point out (and was encouraged to do so by quite a few people), that a much simpler solution in the short term is to use small drones to do the same thing (essentially, a V1 solution). Further, this area is much farther along the development path, as you can see on Chris Anderson's DIYDrones site.

Friday, 03 February 2006

When the entire country of Georgia was cut off from natural gas supply for weeks through the destruction of two collocated pipelines (a couple of hours of work), the assumption of many in the West was that our more complex system would prevent that level of vulnerability. This is a bad assumption. While it is true that Western countries do maintain more reserve capacity (up to 45 days in LNG storage depots, although this depletes over the winter) than Georgia (1 day), the vulnerability of centralized routing still exists. Most US natural gas is transported via pipeline from the New Orleans area or Canada. The vulnerability of this "long supply line" can be seen in this example of open source research put together by John Young of Cryptome: Washington DC area natural gas system. Europe has similar vulnerabilities.

Tuesday, 15 November 2005

Christopher Abad, a research scientist at Cloudmark (a spam filtering company) has done some amazing analysis on the phishing marketplace. Phishing is a method of identity theft that uses fake e-mails and bogus websites to entice unwary consumers to disclose financial information (account details, credit card numbers, personal data). This data is captured and used in financial fraud. It is a big business. To deconstruct a phishing network Christopher used an automated data collection system that monitored chat rooms and activity on compromised servers. He found that the network consisted of loosely affiliated groups with lots of horizontal specialization rather than vertically integrated gangs. He proposed the following structure for the phishing micro-economy (see diagram for more detail):

Automated unregulated chat rooms. This network, often controlled by bots (code that automates activities and allows remote management), provides the basis for the marketplace. It provides an efficient and secure method for discovering information and conducting transactions.

Specialists:

Mass e-mailers. Those individuals that specialize in sending large volumes of e-mail (sometimes through worm-enabled bot networks). These e-mails initiate contact with the consumer.

Template providers. Design specialists in creating the look and feel of financial institution e-mails and websites.

Server managers. Individuals that can compromise Web servers and operate them remotely without detection. These servers collect information from consumers.

Cashers. Buyers of financial information that can use it to generate bogus ATM cards and other financial frauds.

Global Guerrilla Economics
The 21st Century criminal economies like the phishing economy seen above demonstrate the same degree of decentralized self-organization we see in the market for IED (improvised explosive device) manufacture/deployment in Iraq. Neither market is controlled by any single gang, or even a collection of gangs. Instead, they consist of a large network of individuals (and/or small groups) that trade, sell, share, and collaborate to make money and generate desired effects. Additionally, both networks exhibit strikingly high levels of:

Efficiency. The costs for component services are low and very competitive. Financial information can cost as little as $0.50 a record. Emplacement of an IED can cost $50.

Innovation. New methods of attack and new target sets are constantly being discovered. Both groups rapidly leverage open Internet information to refine their target set. For example: In the case of phishing, the security community's chatter provides insight into corporate vulnerabilities and exploits. Iraqi guerrillas use Google maps to plot ambushes and IED emplacement.

Resiliency. Able to resist discovery and network-wide collapse. One major factor in their resilience is their ability to transcend national boundaries and leverage a lack of local organic control (street level enforcement).

What This Means
The arrival of these "black" networks has the following ramifications:

Network wars. These networks are not a single entity. They can go to war. For example: Russian bot farmers recently attacked (denial of service) Chechen web sites in retaliation for terrorist activity against Russian targets.

Generic networks. Skill sets from one network type can transfer to the other. The same technologies and techniques used for phishing and other criminal networks can be used to improve the efficiency of terrorist networks and provide a means of self funding. Generic networks that combine criminal enterprise and terrorist/guerrilla activity are growing. We see this in Iraq today with the fluid market for hostages.

Rapid Growth. As global connectivity increases, the Gap grows faster than the Core (or non-state vs. state). A growing global community of virtual TAZs (temporary autonomous zones) will use technology to rapidly expand the gaps created by transnational barriers to coordination and by areas of local chaos. The lowest common denominator applies, and these autonomous areas can be rapidly exported globally, including to those areas currently under state control.

Thursday, 27 October 2005

The attack on the Palestine hotel in Iraq was more than just an example of how fear management can improve the effects of a terrorist bombing. It was also a very important example of how the open-source insurgency has surmounted the limitations of decentralized management to mount large attacks.

Wednesday, 03 August 2005

This is a horrible story to start the day with: Fourteen marines were killed early today when their troop carrier struck a gigantic roadside bomb in the western town of Haditha, marking one of the single deadliest attacks on American troops since the invasion here in March 2003.

To get a sense of the decentralized, commercial process of Iraq's open source bazaar, let's take a look at the IED industry in Iraq. Here's a ground-breaking article from the current Defense News based on American intelligence:

Thursday, 07 July 2005

Al Qaeda ("The Secret Organization of Al Qaeda in Europe" -- via their Web site, which has since been shut down) has purportedly claimed an attack on London's transportation system. 4 coordinated attacks -- 3 on the Underground subway's Circle line and 1 on a double decker bus -- have incapacitated the metropolis during the morning rush hour. The selection of the Circle line was likely due to its centrality to the Underground network (a postmortem network analysis will demonstrate the validity of this).

Tuesday, 21 June 2005

The US Air Force used stealth technology and precision guided munitions to paralyze the Iraqi state during the first Gulf war and for the first part of the second. The planning technique they used was called effects based operations (EBO) -- a method of warfare where the effects caused by the attack are more important than the level of destruction of the target.

Sunday, 12 June 2005

"Those skilled in war subdue the enemy's army without battle. They capture his cities without assaulting them and over-throw the state without protracted operations." Sun Tzu

The success of the allies during the first Gulf War was due to a new approach to the employment of airpower called Effects Based Operations (EBO). It was formulated to take advantage of the following:

Precision guided munitions (PGM). Bombs that can hit targets with an extremely high degree of accuracy. This minimized the number of aircraft and sorties needed to eliminate a target. It also allowed for minimal damage to the target site to accomplish set goals.

Stealth. A set of technologies that prevent the detection of aircraft. These technologies eliminated the need for force protection packages and extensive pre-attack preparation. Stealth was synergistic with precision guided munitions.

A modern target. Iraq, unlike most of the enemies we had fought since WW2, was a semi-modern nation-state. It had extensive networks that were vulnerable to disruption.

The emergence of EBO

It was apparent to airpower enthusiasts that this combination of factors allowed airpower to become a decisive instrument of conventional warfare -- it moved it beyond ground support and carpet bombing (of dubious value). Due to the influence of Boyd and emerging systems theory, they developed a method that went beyond the simple destruction of enemy forces to the systems approach that emphasized the effects these attacks would create (for a nice overview of EBO, read Brig Gen David Deptula's paper, "Effects-Based Operations"). These effects included:

Ubiquitous system disruption. Stealth and precision enabled parallel attacks against all systems virtually simultaneously. Systems leverage, available due to Iraq's modern urbanized infrastructure, created the opportunity for cascades of failure -- small attacks had system-wide impact. This also completely eliminated the need for the complete reduction of a target set. If the attack took the system down, only those minimal attacks necessary to maintain the condition were necessary.

Rapid psychological isolation. This worked in two ways. First to isolate the leadership elements of Saddam's government/military to force them into moral collapse. Secondly, to minimize the isolation of the US/allied governments due to the conflict -- speed was essential.

Unfortunately, warfare is a conflict of minds. The opposition learned from the experience of the first Gulf War. This amazing demonstration (who doesn't remember where they were the first night of the attack on Baghdad?) taught the value of systems disruption to both the Iraqi leadership (at ground zero) and the entire universe of potential foes. It certainly informed Iraq's strategy for the second Gulf War. Iraq purposely created forces to replicate the USAF's Effects Based Operations with small cells of guerrillas. This has in turn been taught (through a percolation of innovation in Iraq's bazaar of violence) to other autonomous guerrilla groups. Here's how guerrillas conduct EBO:

Precision and stealth. Small groups of guerrillas are nearly impossible to detect and neutralize, particularly when they bypass military formations and hard targets to attack systems. Small, precisely aimed/timed attacks by these guerrillas against target systems can drive them into cascades of failure (for example, Iraq's northern oil fields have been nearly inoperative since the end of the conventional war, while the attackers have suffered few casualties).

Continuous state failure. Iraq's basic services are in a continual state of failure. The state's leadership is in deep isolation due to its inability to deliver political goods to the population.

An emergence of Primary Loyalties. A primary goal of Iraq's guerrillas is to fragment the country's loyalties -- ethnic, religious, tribal, etc. A hollow, non-functional state that is increasingly reliant on loyalist paramilitaries (Badr Brigades and Peshmerga) is precisely the desired outcome.

NOTE: I've applied the EBO method to a war with Iran (see the brief: Collapsing Iran).

Saturday, 02 April 2005

The defense of energy infrastructure against well orchestrated systems sabotage will continue to be ineffective. Even if plans for sensor grids, UAV (unmanned aerial vehicles) patrols, and dedicated guards are fully realized, it will likely prove insufficient to stop ongoing sabotage. These defensive systems are extremely vulnerable to feints (false attacks) and counter-measures. Additionally, the very essence of systems sabotage works against effective defense:

Maneuver. Small attacks that are both simple and fast. Prior warning is non-existent. Existing public transportation infrastructure enables rapid movement to target locations. See Swarming.

Indirection. Systems saboteurs will almost always select targets (in many cases there are tens of thousands of miles of vulnerable infrastructure) that are undefended.

Leverage. The network will extend the impact of attacks over great distances. Cascades of failure can rapidly disable primary infrastructures miles from the site of the attack. Prior network analysis can reveal the locations that will provide the maximum impact.

Rapid Repair

The only method demonstrated to work reliably over the last several years is rapid repair. This capability can contain the economic damage and societal dislocation caused by induced infrastructure failures to 20-30% of its potential. Unfortunately, global guerrillas are finding ways to trump this capability:

Tactics of Delay. Time of failure is key to maximizing damage for saboteurs. A day of delay can mean hundreds of millions in additional damage. Typical tactics that accomplish delays include anti-vehicle and anti-personnel mines (or remotely triggered IEDs) as well as assaults on the perimeter of an active repair site. Both of these methods typically result in extensive security delays.

Team attrition. Ongoing assaults on repair teams prior to an attack have been successful. The elimination of key personnel can radically slow repairs and impair team effectiveness. Team members are particularly vulnerable while in transit to and from work and at home. Assaults of this type have become commonplace in Iraq. Additionally, teams on deployment for ongoing maintenance efforts are often extremely vulnerable to attack.

Supply interdiction. Rapid repairs require specialized equipment (as the capability improves, the equipment used will likely become even more specialized). This equipment is usually stored in centralized storage depots that are vulnerable to assault. Assaults on this equipment have proven to be effective.

What This Means

The result of these innovations is that the quantity of damage that system saboteurs can accomplish will remain at unacceptable levels. At the strategic level, this will dictate that:

Iraqi oil exports will remain below prewar levels.

Saudi energy systems, with their emphasis on defensive and repair capabilities, will continue to be vulnerable to system saboteurs.

A shortage of supply will cause oil prices to climb to new heights in response to each future disruption effort.

Sunday, 19 December 2004

In Blitzkrieg warfare, the point of greatest emphasis is called a schwerpunkt. It is the point, often identified by lower level commanders, where the enemy line may be pierced by an explosive combination of multiple weapon systems. Once the line is pierced, armored forces dive deep into enemy territory to disrupt command, control, and logistics systems. Once these systems are disrupted, the top-heavy military units they support collapse in confusion.

In global guerrilla warfare (a combination of open source innovation, bazaar transactions, and low tech weapons), the point of greatest emphasis is called a systempunkt. It is the point in a system (either an infrastructure or a market), always identified by autonomous groups within the bazaar, where a swarm of small insults will cause a cascade of collapse in the targeted system. Within infrastructure, this collapse takes the form of disrupted flows that result in immediate financial loss or ongoing supply shortages. Within a market, an attack on the systempunkt destabilizes the psychology of the market to induce severe inefficiencies and uncertainties. The ultimate objective of this activity, in aggregate, is the collapse of the target state and globalization.

Wednesday, 15 December 2004

There are strong signs that Chechen guerrillas have made the shift to become global guerrillas. Commanders such as Aslan Maskhadov and Shamil Basayev have expressed their intent to conduct acts of sabotage against Russian targets and guerrilla entrepreneurs such as the Dagestani, Rabbani Khalilov, have acted on this direction. The Chechen campaign against Russian infrastructure systems is off to a fast start. This year's assaults include:

February 18. Moscow. 2 gas pipelines were blown up with IEDs made from rocket propelled grenades.

March 15. A power transmission line was severed. A Chechen flag was found at the blast site.

April 5. Dagestan (southern Russia). The Russian gas export pipeline to Azerbaijan was interdicted for several days. Additionally, the Baku-Novorossiisk oil pipeline was damaged due to collocation vulnerability with the gas pipeline.

April 24. Volgograd. The Samara-Lisichansk long-distance pipeline was blown up.

May 24. Dagestan. The Mazdok-Gazimagomed gas pipeline was damaged.

June 5. Stavropol. The Baku-Novorossiisk oil pipeline reservoir was bombed.

July 5. Chechnya. The Mazdok-Gazimagomed pipeline was damaged again.

November 28. Moscow. A circular gas pipeline was severed.

December 8. Dagestan. The Russian gas export pipeline to Azerbaijan was blown up.

Russia at Risk

An ongoing Chechen global guerrilla campaign against Russian infrastructure will worsen as methods improve. The infrastructure's long distances, numerous choke points, lack of redundancies, and corrupt security combine to make it extremely vulnerable. As a result of this growing assault, the following will likely occur:

Russia's precarious financial and political situation will deteriorate. Its government is already rapidly consolidating power. This will damage its decision making capability by isolating it (Boyd). Financially, it is possible given the demonstration we see in Iraq, that Chechen guerrillas will be able to sustain a 20-40% (depending on the sophistication of the analysis) reduction in the transportation of oil, gas, and electricity in Russia. Financially, this could easily reach $100 billion a year (8% of GDP) and plunge the nation into a prolonged recession.

More turmoil in global energy markets. Russia is the world's second largest oil producer. A reduction of 2-3 million barrels a day in deliveries from Russia would equal the price shock of the loss of Iraq's production. Additionally, turmoil would reduce investment in the development of Russia's huge natural gas reserves -- which are critical for the emergence of a liquid natural gas (LNG) export market.

A second demonstration of the power of global guerrilla methods. The financial devastation of Russia will inevitably force the country to grant Chechnya the political independence it desires. If the leadership doesn't do this quickly enough (due to hubris), there is the potential that the entire country will fragment into ethno-religious-criminal mayhem on a scale we haven't seen before. Regardless, independence is likely inevitable. This will be the second major victory for global guerrillas (after Iraq) and will accelerate the adoption of these methods globally.

Note: Thanks to Jamestown for providing data that made this brief possible.

Wednesday, 17 November 2004

Iraq's insurgency is both growing and innovating quickly. A good way to understand this speed is to dive into how epidemics spread and cascade in social networks. In this first brief on this topic, I will look at how the innovation spreads through the global guerrilla network in Iraq -- the epidemic spread of information to individuals/groups that are highly susceptible (those that have already opted to join the insurgency). In the second brief, I will examine how the insurgency infects the general population -- is it an epidemic or not? As always, I am open to ideas on how to improve this analysis.

Epidemic Innovation

Iraq's insurgency has demonstrated that its decentralized process of innovation (open source warfare) can yield effective methods of system disruption. These innovations appear to be spreading quickly. A good way to understand why is to treat this tactical innovation as an informational epidemic. The spread of an epidemic to susceptible individuals is determined by its reproduction rate (the ability to infect others). The equation for this is:

Tactical innovation travels quickly in Iraq's guerrilla network because the rate of reproduction is extremely high. The primary reason is that the "likelihood of contact" is large relative to the other factors due to the topology of its decentralized network structure. Three topological features of Iraq's insurgency that feed this high "likelihood of contact" are:

Small cohesive cells. These small organizational units exhibit high degrees of structural cohesion (Menger's Theorem). Every member knows all the other members (this is different from the 9/11 operational network). Each cell is composed of family members, friends, and neighbors.

Small world properties (Milgram). Cross connections between members of the insurgency radically reduce the mean path length (the mean distance between any two members) of the network. Baath party membership, military experience, etc. provide these short-cuts. Further, a modern road network makes it easy to make physical connections.

Scale free properties (Barabasi). The guerrilla network in Iraq is likely scale free. Early entrants, such as the Fedayeen and al Qaeda are highly connected hubs. As the network grows, they become more central and powerful.

How this works

The spread of tactical innovation in Iraq's guerrilla network is a combination of the overt (direct communication via personal connections in the bazaar) and the passive (stigmergic environmental signals). The process by which this works follows this pattern:

Innovation. Small groups (clusters) innovate within the open source model of guerrilla warfare we see in Iraq. They are independent and therefore able to make decisions based on their own decision making processes. Innovation is often incentivized by the reward of funding and other profit opportunities (as with any entrepreneurial activity).

Adoption. An innovation is widely dispersed when a network hub adopts it. Hubs are influenced through a combination of stigmergic and overt communication. If the innovation works, the hubs typically adopt the innovation.

Propagation. Hubs directly influence other groups through economic incentives in the bazaar (they have influence over sources of funding in their roles as violence capitalists). They also have a high number of overt connections to entrepreneurial guerrilla start-ups.

Breaking the Connections

One objective of counter-insurgency should be to lower the rate of reproduction of the epidemic. Effectiveness in this area would slow the aggregate decision making of the group (Boyd) and make it easier to beat. Here are some ideas (note: some of the ideas here are only valid given that it appears that the US has given up the moral war against the Sunni insurgency, and has opted for a military only approach that targets other psychological factors that impact decision loops):

Reduce the duration of the contact. Indirectly, this was an objective of the Fallujah operation. The collapse of the Fallujah TAZ hinders ongoing face-to-face high duration contact. Unfortunately, the requirements of this operation are so excessive in terms of effort and personnel, we are limited to a single TAZ at a time. A better method must be found given our limited resources. Additionally, the Fallujah TAZ was less important to the insurgency than the military assumes.

Eliminate connections by isolating cells (hubs in particular). Iraq's state of emergency is aimed at this. However, phone networks and Internet connections are still available in the region. One method would be reducing the insurgent areas to older means of communication. Another would be a strict limit on physical movement between cities and towns.

Limit the duration of the infectiousness. This requires rapid adaptation in how we defend targets in Iraq. An innovation detected early against one class of targets should be countered across that whole class before it propagates. This will require a real "strategic corporal" (not merely one that avoids moral mistakes through good judgment) and new ways of sharing innovation horizontally.

A general note on many of these tactics: they contribute to a moral loss. They also indirectly undermine the government's moral legitimacy by disconnecting the economy from globalization (which is a goal of global guerrillas).

Friday, 24 September 2004

Earlier analysis (see "The Optimal Size of a Terrorist Network" for more) indicates that the disruption of the al Qaeda network mega-hub in Afghanistan has put strict limits on the size of the surviving virtual network elements. This size limitation may represent a barrier to attacks on the US, but is likely well within the capabilities needed for limited regional attacks. However, new innovations in group dynamics and the emergence of new unaffiliated guerrilla networks in Iraq may provide a method for regaining strategic capability.

The Bazaar
The decentralized and seemingly chaotic guerrilla war in Iraq demonstrates a pattern that will likely serve as a model for next generation terrorists. This pattern shows a level of learning, activity, and success similar to what we see in the open source software community. I call this pattern the bazaar. The bazaar solves the problem: how do small, potentially antagonistic networks combine to conduct war? Lessons from Eric Raymond's "The Cathedral and the Bazaar" provide a starting point for further analysis. Here are the factors that apply (from the perspective of the guerrillas):

Release early and often. Try new forms of attacks against different types of targets early and often. Don’t wait for a perfect plan.

Given a large enough pool of co-developers, any difficult problem will be seen as obvious by someone, and solved. Eventually some participant of the bazaar will find a way to disrupt a particularly difficult target. All you need to do is copy the process they used.

Your co-developers (beta-testers) are your most valuable resource. The other guerrilla networks in the bazaar are your most valuable allies. They will innovate on your plans, swarm on weaknesses you identify, and protect you by creating system noise.

Recognize good ideas from your co-developers. Simple attacks that have immediate and far-reaching impact should be adopted.

Perfection is achieved when there is nothing left to take away (simplicity). The easier the attack is, the more easily it will be adopted. Complexity prevents swarming that both amplifies and protects.

Tools are often used in unexpected ways. An attack method can often find reuse in unexpected ways.

Scaling the Bazaar
The bazaar dynamic -- replete with stigmergic learning and entrepreneurial ventures -- is vibrant enough to keep Iraq in a state of chaos. The statistics speak for themselves. However, can the bazaar be exported to regional nations or strategic targets? Can it serve as a post-Afghanistan (post al Qaeda) model for global guerrilla warfare? Yes. Here's why:

Leveraged attacks. As we see in Iraq, if appropriately planned, small attacks can have amazing impact. The reason behind this is the system dynamics that amplify results. ROIs (returns on investment) in excess of one million fold have been measured in Iraq. This means that smaller groups can have tremendous impact at the strategic level if they adopt the Iraqi method.

Swarms vs. single group activity. The bazaar offers the potential of many smaller attacks that can in aggregate have an impact equal to several large attacks. Many hands make light work. Combined with system leverage, this could reduce a nation to economic chaos in short order.

Rapid innovation. The bazaar's demonstrated ability to provide rapid innovation makes defense extremely difficult. Rather than a single 9/11 style attack, we may see small attacks (less planning and training, fewer people, less support) against a plethora of targets. With a sufficient number of guerrilla networks unearthing vulnerabilities (particularly ones with system leverage), security forces will likely be outmatched.

Sunday, 05 September 2004

A long term target of global guerrillas in our emerging war, will be the large infrastructure networks that our national economy relies upon (as do all modern developed economies). The most critical and complex network is our power grid which contains over 1 m kilometers of high-voltage power lines between 115 -765 kVs. The network can be further subdivided into the following:

1,633 generator nodes.

2,179 distribution substation nodes.

10,287 transmission substation nodes.

Network Analysis
In a recent paper, "Structural Vulnerability of the North American Power Grid," Reka Albert et al. analyzed the vulnerability of the power grid based on modern techniques (see "Cascading System Failure" for more on the vulnerability of scale-free networks). The key to this analysis is to find those nodes that serve as "hubs" for the network. The hubs, if taken out during an attack, have the greatest likelihood to disrupt the network and create a cascade of failure. They found the following:

Highly connected nodes are a mix. Power engineering principles correctly suggest that the majority of highly connected nodes will be power plants (see "Design Flaws: Methods of Attacking Critical Infrastructure" for more). However, contrary to expectations, a small number of transmission substation nodes are also highly connected -- 50 have a degree higher than 10.

1% of the transmission substations are high load nodes. These high load substations are nodes with high betweenness (a high load of shortest paths between nodes on the network). These substations aren't necessarily highly connected nodes; some merely carry high throughput for long-haul connectivity (a critical part of the US power grid, since 50% of the electricity generated is allocated via the wholesale market, much of it over long distances due to NIMBY restrictions on local power production). High load nodes are best termed the "hubs" of the network.

900 of the distribution substations can potentially become isolated clusters (41% of the total). This means that these substations are only lightly connected to the grid. If the transmission substation that connects them is taken off-line via an attack, they are disconnected from power generation and go dark.

Methods of Attack
This research indicates the potential success of different modes of global guerrilla attack against a modern power grid:

Attacks on power substations and their direct connectivity will have little impact. The high degree of redundancy at the power substation level prevents major system failure. This is in stark contrast to the simple, production-limited system in Iraq (see "Iraq: Electricity Disruption" for more), where the removal of a power plant from the grid will have a major impact. A big caveat on this "finding": the analysis doesn't account for "base power" generation from large producers (hydroelectric and nuclear). Power production isn't homogeneous. The elimination of these large systems from the grid would result in major disruption.

Attacks on transmission substations yield the greatest system impact. In general, the removal of high load substations is more important than highly connected substations. A loss of only 4% of the highest load transmission hubs disconnects 60% of the grid from power.

Cascading failures can amplify the impact of high-load node removal. Cascading failure can shut down 60% of the grid with the removal of only 2% of the high-load nodes. If 1% are removed, 40% of the grid goes dark. I suspect that better analysis based on sorting the high-load nodes by the quality of their connections (based on voltage, with the high quality nodes as those with the largest number of high voltage connections) would radically reduce the number of failed nodes needed for a system-wide cascade.

End Note: The implication is that a carefully prepared simultaneous attack against 10-20 substations of the right type could take 60% of the US end-users offline for an extended period (potentially weeks). If exploited by additional well planned attacks, this damage could be extended indefinitely.

The solution to this type of vulnerability isn't a complete rework of the grid. Instead, it's a resilient community: a community that produces most of what it needs locally.

Sunday, 29 August 2004

Global guerrillas can gain leverage from small attacks by assiduous study of the dynamics of the networks they attack. Within scale-free networks with dynamic flows (electricity, information, etc.), cascades of failure can be induced by attacking central hi-load nodes (see the brief Cascading System Failure for more). These nodes can be identified as those with a high betweenness centrality, a term used to describe those nodes with the largest number of "shortest paths" that pass through them. When these nodes are shut down through an attack, the flow they handle (most likely with expensive high capacity equipment) is automatically routed to other lower capacity nodes that fail under the load (a cascade of failure). Within global guerrilla warfare, these critical nodes are called systempunkts -- the point at which an attack will cause systemic collapse.

A Proposed Defense
Traditional methods of defense against cascading failure include "islanding," homogeneity, and radical redundancy. Unfortunately, all of these techniques are either too drastic (islanding) or expensive (homogeneity and radical redundancy) to be good solutions. Adilson Motter, from the Max Planck Institute, offers a more elegant solution in his paper, "Cascade Control in Complex Networks." He proposes an algorithmic approach in which cascades can be controlled by:

Disconnecting peripheral transmitting nodes. Networks with dynamic flows have two types of nodes: those that transmit flow and those that convey flow. Hi-load nodes, in scale-free networks of this type, are those that convey flow. To protect against too much flow on the remaining low capacity nodes, transmitting (or production) nodes should be selectively disconnected from the network. This will allow the network to remain within its capacity limitations and thereby limit the spread of the cascade.

Pruning central links. When central hi-load nodes fail, the loads they previously conveyed are re-routed via new central links. If those overloaded central links are pruned (eliminated), it may be possible to prevent a general cascade. Essentially, this action will push the cascade back towards the transmitting nodes that are oversupplying the network.

Wednesday, 14 July 2004

Stigmergy is a term used in biology (from the work of French biologist Pierre-Paul Grassé) to describe environmental mechanisms for coordinating the work of independent actors (for example, ants use pheromones to create trails and people use weblog links to establish information paths for others to follow). The term is derived from the Greek words stigma ("sign") and ergon ("to act"). Stigmergy can be used as a mechanism to understand underlying patterns in swarming activity. As such, it can be applied to the understanding of swarming attacks by diverse bands of global guerrillas. The stigmergic information system that operates in Iraq is the bazaar of violence. A knowledge of stigmergy is a key to understanding how these groups learn.

Stigmergic systems use simple environmental signals to coordinate the actions of independent agents (each with their own decision making process). These signals are used to coordinate scalable, robust, and dynamic activity. This activity is often much more intelligent than anything the individual actors (in this case individual global guerrilla groups) are capable of on their own. There are four basic mechanisms of environmental coordination. They are:

Marker-based. Markers or signs left by actors influence the action of other actors. In the GG (global guerrilla) context this is the site of an attack and the news of the attack that is delivered by the media. The description of the attack in the media is a stigmergic marker for others to follow.

Sematectonic. Environmental conditions influence the behavior of all actors in the system. For GGs, multiple attacks on a certain type of target can generate a security response by the nation-state that changes the potential of attacks against that type of target in the immediate future. An increased security presence for those types of targets is a sematectonic signal to select something else.

Quantitative. The environmental signals are of a single scalable type. The size of a Global Guerrilla attack on a given location can meter the scale of the security response.

Qualitative. The environmental signals are of a varied type that change the message based on their combination. Different types of attacks on the same target (the length of power outages in Baghdad) will yield information on the type of attack that is the most effective.

A deeper understanding of the stigmergic signaling between global guerrillas will enable the development of ways to disrupt their activity. The examples listed above are by no means exhaustive (I will include a longer list in my book on Global Guerrillas).

Wednesday, 02 June 2004

In today's complex world, infrastructure failures aren't limited to a single network. They spread across networks due to a complex interplay of interdependencies. What's worse is that these interdependencies are often both tightly coupled (connections that rapidly spread a failure to other systems) and non-linear (feedback loops magnify the impact of failures). Global Guerrillas will use these interconnections and interdependencies to take down complete infrastructures through seemingly small attacks.

Exclusive -- a network that can only support one or a few outputs; may be transient. Example: oil/gasoline pipelines.

Types of Failure
Global guerrillas will plan attacks to create the following types of failure. See inset diagram to understand how a failure in electricity production can impact other networks.

Cascade Failure: cascades of failure (see Cascading System Failure for more background) can spread quickly from one network to another through "input" and "mutual" interdependencies.

Escalating Failure: the failure in one networked infrastructure can exacerbate a failure in another network. This failure is typically due to "shared" or "exclusivity" interdependencies. For example: an attack against a transportation network would slow repair of an electricity failure.

Common Cause Failure: this failure is due to a single attack that directly impacts two or more networks. This failure is typically due to geographical "co-location."

Infrastructure Meltdowns
Given these attributes, how will global guerrillas attack infrastructures? They will likely follow this basic formula (I will go into this in much more detail in my book on Global Guerrillas, out this fall):

Physically attack or isolate the communications of response/control center personnel and/or corporate senior management to delay recovery. An example of a previous al Qaeda op from Navy Commander James Pelkofski: In the attack on the U.S. embassy in Nairobi, Kenya, a truck carrying explosives approached the main embassy gate, possibly posing as a delivery vehicle. It was redirected by guards to a back gate. There, a gun and grenade attack on security personnel by as many as three assailants preceded the explosion that destroyed the embassy. The preliminary gun and grenade assault ensured the primary weapon, the truck bomb, was delivered into the compound with devastating effect.

Use combined arms to attack critical points. A combination of explosives (or equivalents), high energy radio frequency weapons (HERFs or "herfing" -- see "Homemade Microwave Weapons" for more), and computer hacking of control systems (SCADA).

Conduct sequential attacks across multiple infrastructures to amplify and extend the impact.

Monday, 24 May 2004

Global infrastructure networks are the Achilles' heel of the great powers. They form the basis of our wealth and our daily function yet remain extremely vulnerable. It's then little wonder that next generation terrorists, in the form of global guerrillas, will focus their efforts on the destruction of this global infrastructure. In previous posts we explored the vulnerability of scale-free networks. This analysis showed that the removal of a few highly connected nodes can cause a network to fail (by dividing the network into isolated islands of connectivity). However, the analysis of dynamic networks indicates that there may be an even easier way to collapse infrastructure networks: cascading failure.

Dynamic Networks and Cascading Failures
Static maps of a network's connectivity (like a scale free network topology) don't provide a true picture of an infrastructure network's operation. Infrastructures are dynamic. There are flows of information, power, and substances constantly coursing through them. This dynamism creates a new set of vulnerabilities that can be exploited by global guerrillas. Here's how cascading network failures occur in dynamic networks when they lose high-load nodes (the loss of even a single high-load node can result in system-wide cascading failure):

Load redistribution. In most infrastructure networks, the loads carried by each node on the network are dynamically redistributed. If a network node is lost, due to accident or attack, the load that node carries is rapidly distributed to the other nodes on the network.

Hi-load nodes and failure. If a high-load node is removed from the network, the loads it carries are redistributed to other nodes on the network. This increased flow causes less capable nodes to exceed their capacity. To protect these nodes from damage, many networks will automatically force the overloaded node to fail-over (shut down). In other networks, the increased congestion will cause the overloaded node to become inefficient (bog down). Regardless, the result is a series of shut-downs or slow-downs that "cascade" through the network as the excess load is pushed to the next available node. The end result is total network failure.

Heterogeneous networks. Cascading failures only occur in heterogeneous networks where there are a few nodes that have the capacity for high-loads and many with the capacity only for low-loads. Homogeneous networks, where all the nodes handle an equal load do not suffer cascading failure. Unfortunately, all infrastructure networks are heterogeneous by design.

NOTE: Cascading failures do not cleanly apply to terrorist "social" networks. In social networks, the network nodes are people and the flow is information/knowledge/etc. When a high-load node is removed, the remaining nodes will not fail due to an increase in load. People can adapt dynamically. For example: they can prioritize the new loads they inherit which mitigates the impact of a high-load node loss to the network.

High-load node identification. There is a high level of correlation between the number of connections a node has and the amount of load it carries. Additionally, many infrastructure networks (oil, gas, electricity, etc.) concentrate production of the flow that travels through the network. In these networks, high-load nodes can be identified as those nodes that are immediately downstream from production facilities. In other networks (communication networks) high-load nodes are the most central ones.

Connections instead of nodes. A non-obvious approach to node failure is to attack the connections radiating from high-load nodes. The result of an attack on the connections between nodes will be the redistribution of the load carried by the damaged connection to the remaining connections. This will result in the failure of a high-load node when the remaining connections fail due to overloading (see diagram).

Network suppliers. Some networks are vulnerable to undersupply (gas, electricity, and water). In these networks, an attack on a supply facility or connections from a supply facility will produce network failure as undersupplied nodes pull resources from the rest of the network (see diagram).
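The load-redistribution mechanism described in this post, the betweenness ("load") ranking of hubs from the Albert et al. discussion earlier on the page, and Motter's cascade-control defence (deliberately disconnecting low-load peripheral nodes after the initial loss) can all be run end to end on a small constructed grid. What follows is an added example, not code from this blog or from either paper: the ring-of-substations topology, the node names, the 10% capacity margin and every function name are assumptions made for the illustration. Loads are Brandes betweenness, as in the Motter-Lai model, and a node fails when its recomputed load exceeds the capacity it was built with.

```python
"""Betweenness-as-load cascade (after Motter and Lai) on a constructed toy grid
with Motter's low-load-node defence. Added example; topology, names, margin
and function names are assumptions, not data from either paper."""
from collections import deque


def build_ring_grid(hubs=6, leaves=4):
    """Constructed sample: hubs T0..T5 in a ring, each feeding leaves D{i}_{j}."""
    adj = {}

    def link(a, b):
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)

    for i in range(hubs):
        link(f"T{i}", f"T{(i + 1) % hubs}")   # long-haul link to the next hub
        for j in range(leaves):
            link(f"T{i}", f"D{i}_{j}")        # distribution substation (leaf)
    return adj


def betweenness(adj):
    """Brandes: shortest paths through each node, the post's 'load' measure."""
    bc = {v: 0.0 for v in adj}
    for s in adj:
        order, pred = [], {v: [] for v in adj}
        sigma = {v: int(v == s) for v in adj}
        dist = {v: 0 if v == s else -1 for v in adj}
        queue = deque([s])
        while queue:  # BFS counting shortest paths from s
            v = queue.popleft()
            order.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = {v: 0.0 for v in adj}
        while order:  # accumulate dependencies back towards s
            w = order.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {v: b / 2 for v, b in bc.items()}  # undirected: halve the double count


def remove_node(adj, v):
    for w in adj.pop(v):
        adj[w].discard(v)


def largest_component(adj):
    """Size of the largest connected piece left standing (Motter's G)."""
    seen, best = set(), 0
    for s in adj:
        if s in seen:
            continue
        comp, stack = {s}, [s]
        while stack:
            for w in adj[stack.pop()]:
                if w not in comp:
                    comp.add(w)
                    stack.append(w)
        seen |= comp
        best = max(best, len(comp))
    return best


def cascade(adj, capacity):
    """Recompute loads, fail every node over capacity, repeat until stable."""
    failed = []
    while True:
        load = betweenness(adj)
        over = [v for v in adj if load[v] > capacity[v]]
        if not over:
            return failed
        for v in over:
            remove_node(adj, v)
        failed.extend(over)


def simulate(alpha=0.1, lost="T0", sacrifice=0):
    """Lose one hub, optionally disconnect the `sacrifice` lowest-load attached
    nodes (Motter's defence), then let the cascade run."""
    adj = build_ring_grid()
    # capacity = (1 + alpha) * normal load; alpha is the engineering margin
    capacity = {v: (1 + alpha) * b for v, b in betweenness(adj).items()}
    remove_node(adj, lost)
    load = betweenness(adj)
    attached = sorted((v for v in adj if adj[v]), key=lambda v: (load[v], v))
    sacrificed = attached[:sacrifice]
    for v in sacrificed:
        remove_node(adj, v)
    return {"cascade_failures": cascade(adj, capacity), "sacrificed": sacrificed,
            "largest_component": largest_component(adj)}
```

Calling `simulate()` with no defence turns the ring into a path whose middle hub (T3) inherits all the cross-traffic, overloads and fails, leaving two surviving halves of ten nodes each. Calling `simulate(sacrifice=2)` disconnects the two lowest-load distribution leaves after the initial loss; every remaining hub then stays under capacity and 23 of the 30 nodes remain in one piece, so the defence spends two nodes to keep thirteen. A real planner would replace betweenness with power-flow loads; the control logic does not change.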

Monday, 17 May 2004

Complex infrastructure often exhibits extreme levels of vulnerability to unplanned events. The reason for this may be found in an area of complexity research called highly optimized tolerance (HOT). HOT research has found that complex networks, like most global infrastructure, exhibit behaviors explained by the design considerations of their makers. The end result of this planning is a network that is extremely robust against certain types of anticipated failures/insults but conversely is hypersensitive to unanticipated classes of uncertainty. NOTE: this isn't as obvious as it seems. Complex systems, like the Internet, operate well beyond the influence of any central management group and the thinking of the original designers. This research shows that the core design and operational decisions made by these groups do have a major impact on the ability of the system to respond to damage.

Design Flaws
The crux of this analysis is that global guerrillas can exploit the assumptions of designers to create major disruptions in complex networks. Further, once this is done, the network will likely work for the attacker by causing damage to itself (from outage responses gone awry to increased costs of operation). NOTE: This is very much the approach Lawrence of Arabia used in the Arab revolt. He attacked the Turkish rail system, which its designers/users assumed to be safe because it was well to the rear of the front lines and traversed remote areas.

NOTE: This next section is an area that I am spooling up on. I do think it is possible to exploit system designer/operator assumptions. These assumptions create systemic flaws and not just spot opportunities. When I get it right, this will be a very useful section.

Global Guerrilla Operations Manual>Infrastructure Attack>Planning
(NOTE: this is a red-hat/oppositional approach to diving into a topic, don't be alarmed). When planning an attack on infrastructure (oil, electricity, gas, etc.), it is important to consider what the designers of the network had in mind. An examination of assumptions can lead to methods of exploitation. Let's walk through the exercise.

General considerations. All large-scale infrastructure network designers follow the same general process:

The economic performance of the network needs to be optimized (efficiency often trumps safety).

They don't have sufficient resources to defend against all potential threats (limited means).

Security is focused on the most recent, highest-profile, and most common threats (all of which have some historical basis). NOTE: I know that good network designers would say they make no assumptions as to what future threats would be and they are constantly updating systems in response to new threats and ongoing assessments. However, that isn't the case in the vast majority of deployed systems, particularly large infrastructure networks.

Here are some general assumptions planners use in network design. They will not apply to all systems. These questions are better used as a way to start a thinking process on the topic (NOTE: I am working on these. This list is in the process of revision.).

Assumption: the lowest cost routes are often best (Oil, Gas, and goods transport).

Assumption: Large nodes (those that handle more load than others) are efficient (All networks).

Assumption: the shortest path is the best path (Internet and Power).

Assumption: hub and spoke systems are often efficient (Airlines).

Assumption: outsourcing of network elements is often efficient (deregulated networks).

Assumption: the systems environment is permissive (all networks -- in that crews will not be attacked).

Assumption: parts of the system in remote areas are secure due to their inaccessibility (oil and Power).

Assumption: external support networks will work as advertised (Oil, Power, .

Make your own list of design assumptions that can be exploited within the system you are focusing on. Rank the potential attacks unearthed through this process according to operational factors.

Friday, 14 May 2004

Global economic networks, like today's oil networks, are typically sparse (few nodes), hierarchical (an inverted pyramid of distribution), concentrated (big hubs), and vulnerable (not built with security in mind). When we look at the global oil network we find that the biggest network hub is Saudi Arabia. Within Saudi Arabia, production is highly concentrated with few major hubs -- a handful of fields produce the vast majority of its oil. This pattern of field concentration follows the King (the supergiant), Queen (giants), and Lords (large) rule, which is true for all major oil basins. Let's sort the Saudi fields according to this rule:

The King. Ghawar. The world's King of Kings. Discovered 1948/49. Ghawar produced 60-65% of all Saudi oil between 1948 and 2000. It produces over 5 million barrels a day (~6.25% of global production). There is even zonal concentration within Ghawar -- Arab D.

The strategic risks
This pattern of concentration indicates that the global focal point of the world's oil system is Ghawar. It's the mega-hub of the global oil network. Let's therefore examine the risks to Ghawar. There are three main categories of risk:

Data risk. There is very little reliable data on oil production/reserves in OPEC nations (for example: reserve estimates are often inflated). The recent Royal Dutch/Shell experience (they downgraded reserve estimates by 20%, twice, due to optimistic estimates) demonstrates the dire financial consequences of this behavior. There is reason to believe that ARAMCO may be following a similar policy given the fuzzy data on Ghawar's reserves.

Technology risk. Technological improvements may not be sufficient to radically extend the lives of large fields. The rapid decline of Oman's Yibal field, despite its use of advanced technology, is an example of this. Recent indicators imply that Ghawar is running into the same problems as Yibal did.

Global guerrilla risk (terrorism). This was seen in the recent attacks on oil facilities/personnel in Iraq and Saudi Arabia. An attack on Ghawar, particularly Arab D, could radically impact world oil supply.

The implications
The global oil network is tightly coupled to global economic activity (via inflation). There is robust historical data on the economic costs of previous disruptions. Further, the global oil market is very inelastic in the short-term (this means that even minor decreases in supply result in large price increases). The reason for this is that it takes a significant amount of time for customers to switch to alternative fuels or implement conservation measures. Here's how oil network disruptions would cascade into global economic activity if the risks detailed above are realized:

Fear of attack or disclosure of error. Current oil prices (over $40) are the result of a fear of terrorism and increased demand. A similar price could be expected if data or technological risk are proven to be real. A sustained price of $40 will reduce global growth by 1% (-$500 billion in the first year).

Large attack. A successful attack on Ghawar and Basra would result in a price of $160 a barrel. Global economic growth would slow by 4.55% (a -$2.25 trillion loss) -- essentially a global depression.

Our response should be
Given this analysis, global guerrilla risk to Ghawar, as the global mega-hub of oil production, is the most dangerous of the risks we face. In 4GW terms, the miracle of Ghawar's production is a great strength but it can be turned against us. To mitigate this we should undertake the following:

A push for better data. Transparency is a must for data and technological risk reduction.

Conservation and alternative energy sources. This is a long-term solution but is necessary to reduce our exposure to oil concentration.

Increased protection of Ghawar and Basra. Protection of Ghawar is extremely important. Unfortunately, this is not as simple as it seems. There are lots of targets. Ghawar is vulnerable to attacks on: wells, personnel, management systems, pipelines, water facilities (water is injected into the field to push out oil), power facilities, power transmission, and more. A creative global guerrilla could have a field day given the number of potential targets that would directly impact production at Ghawar.

Friday, 07 May 2004

Scale-free networks are everywhere. They can be seen in airline traffic routes, connections between actors in Hollywood, weblog links, sexual relationships, and terrorist networks. So what exactly is a scale-free network? A scale-free network is one that obeys a power law distribution in the number of connections between nodes on the network. A few nodes exhibit extremely high connectivity (essentially scale-free) while the vast majority are relatively poorly connected. The reason that scale-free networks emerge, as opposed to evenly distributed random networks, is due to these factors:

Rapid growth confers preference to early entrants. The longer a node has been in place the greater the number of links to it. First mover advantage is very important.

In an environment of too much information people link to nodes that are easier to find. This preferential linking reinforces itself by making the easier-to-find nodes even easier to find.

The greater the capacity of the hub (bandwidth, work ethic, etc.) the faster its growth.

The Strength and Weaknesses of Scale-Free Networks
The proliferation of scale-free networks and our increasing dependence on them (particularly given their prevalence in energy, transportation, and communications systems) begs the question: how reliable are these networks? Here's some insight into this:

Scale-free networks are extremely tolerant of random failures. In a random network, a small number of random failures can collapse the network. A scale-free network can absorb random failures up to 80% of its nodes before it collapses. The reason for this is the inhomogeneity of the nodes on the network -- failures are much more likely to occur on relatively small nodes.

Scale-free networks are extremely vulnerable to intentional attacks on their hubs. Attacks that simultaneously eliminate as few as 5-15% of a scale-free network's hubs can collapse the network. Simultaneity of an attack on hubs is important. Scale-free networks can heal themselves rapidly if an insufficient number of hubs necessary for a systemic collapse are removed.

Scale-free networks are extremely vulnerable to epidemics. In random networks, an epidemic needs to surpass a critical threshold (a number of nodes infected) before it propagates system-wide. Below the threshold, the epidemic dies out. Above the threshold, the epidemic spreads exponentially. Recent evidence indicates that the threshold for epidemics on scale-free networks is zero.
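The first two robustness claims above (tolerance of random failure, fragility under hub removal), and the preferential-attachment growth process described at the top of the post, are easy to check numerically. The following is an added example, not code from this blog or from the research it cites: it grows a scale-free graph by preferential attachment, builds a random graph with the same number of nodes and links, removes 15% of the nodes either at random or highest-degree first, and reports the surviving giant component as a share of the original network. The graph sizes, the seed and all function names are assumptions.

```python
"""Random failure versus targeted hub removal on a scale-free graph, against a
random graph of the same size. Added example with constructed graphs; the
generators, sizes, seed and function names are assumptions."""
from collections import deque
import random


def barabasi_albert(n, m, rng):
    """Growth plus preferential attachment: each arriving node links to m
    distinct existing nodes chosen with probability proportional to degree."""
    adj = {i: set() for i in range(n)}
    targets = list(range(m))          # the first arrival links to m seed nodes
    endpoints = []                    # each node listed once per link it holds
    for new in range(m, n):
        for t in targets:
            adj[new].add(t)
            adj[t].add(new)
        endpoints.extend(targets)
        endpoints.extend([new] * m)
        chosen = set()
        while len(chosen) < m:        # sampling endpoints is degree-weighted
            chosen.add(rng.choice(endpoints))
        targets = sorted(chosen)
    return adj


def erdos_renyi(n, edges, rng):
    """Random graph with the same node and link counts, links placed uniformly."""
    adj = {i: set() for i in range(n)}
    placed = 0
    while placed < edges:
        a, b = rng.sample(range(n), 2)
        if b not in adj[a]:
            adj[a].add(b)
            adj[b].add(a)
            placed += 1
    return adj


def giant_component(adj):
    """Number of nodes in the largest connected piece."""
    seen, best = set(), 0
    for s in adj:
        if s in seen:
            continue
        seen.add(s)
        queue, size = deque([s]), 0
        while queue:
            v = queue.popleft()
            size += 1
            for w in adj[v]:
                if w not in seen:
                    seen.add(w)
                    queue.append(w)
        best = max(best, size)
    return best


def surviving_fraction(adj, fraction, mode, rng):
    """Remove `fraction` of the nodes at random ('failure') or highest-degree
    first ('attack'); return the giant component as a share of the original n."""
    n, k = len(adj), int(fraction * len(adj))
    if mode == "failure":
        victims = set(rng.sample(sorted(adj), k))
    else:
        victims = set(sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:k])
    pruned = {v: nb - victims for v, nb in adj.items() if v not in victims}
    return giant_component(pruned) / n


def experiment(n=400, m=2, fraction=0.15, seed=7):
    rng = random.Random(seed)
    sf = barabasi_albert(n, m, rng)
    rnd = erdos_renyi(n, sum(len(nb) for nb in sf.values()) // 2, rng)
    return {
        "scale_free_max_degree": max(len(nb) for nb in sf.values()),
        "random_max_degree": max(len(nb) for nb in rnd.values()),
        "scale_free_failure": surviving_fraction(sf, fraction, "failure", rng),
        "scale_free_attack": surviving_fraction(sf, fraction, "attack", rng),
        "random_failure": surviving_fraction(rnd, fraction, "failure", rng),
        "random_attack": surviving_fraction(rnd, fraction, "attack", rng),
    }


if __name__ == "__main__":
    for key, value in experiment().items():
        print(f"{key:>22}: {value:.2f}" if isinstance(value, float) else f"{key:>22}: {value}")
```

Because the graphs are random, the exact numbers move with the seed and the sizes; what is stable is the ordering. The scale-free graph keeps well over half of its nodes in one piece after losing 15% at random, loses far more when the same number of hubs are removed instead, and its maximum degree dwarfs that of the random graph built from the same number of links. The post's 5-15% figure is a collapse threshold; this experiment only compares the two removal orders at a single fraction, so a reader wanting the threshold should sweep `fraction`.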

What this means for Counter-terrorists
Given the vulnerability of scale-free networks to intentional disruption, what does this mean for counter-terrorist planners (which I hope, but doubt, they are thinking about)? This theory has strong implications for defense as well as offense given that terrorist networks are likely highly heterogeneous. Here's what it means:

Eliminating terrorist network hubs will likely not be effective. Non-state terrorist networks exhibit small world properties (see "TERRORIST CELLS" for more). This means that while large hubs still dominate the network, the presence of tight clusters (cells) continues to provide local connectivity when the hubs are removed. This implies that the attack on al Qaeda's Afghanistan training camps (the location of multiple hubs) did not collapse its network in any meaningful way. Rather, it atomized the network into anonymous clusters of connectivity until the hubs could reassert their priority again. Additionally, many of these clusters, even without the global connectivity provided by the hubs, will still be able to conduct attacks if they are of sufficient size and complexity (a variety of skill sets). A better approach may be to observe the hubs covertly to ascertain the location of local clusters that need to be shut down.

Critical terrorist social network hubs cannot be identified based on the number of links alone. Hubs vary in value depending on multiple vectors such as depth of connections (strong face-to-face social history is extremely important for trust development in covert networks -- see MAPPING TERRORIST NETWORKS for more), frequency of contact (which may indicate the individual is a conduit for information flow rather than a resource), and duration of links (which is tied to the importance of that individual's skill set to ongoing operations of the cells they connect to). Analysis of the network along each of these vectors can make for better decision making.

Defense against attacks on hubs can be achieved in ways other than physical defense. These methods include: increasing the capacity of all hubs to absorb the traffic of failed hubs (a kind of surge protection), limiting or decreasing the maximum number of connections to any one hub (reduction in criticality), and increasing the cross connectivity of the network (local pooling of resources).

Monday, 03 May 2004

Non-state terrorist networks enjoy many advantages over the traditional hierarchies of nation-states. They learn, share, innovate, and survive disruption better than hierarchies. This strongly implies that the best way to defeat these terrorist networks is to adopt a network architecture ourselves. The best approach to begin this process of transformation is to establish a nation-wide intelligence network. The advantages of a national intelligence network are real. For example: almost all of the information needed to identify and stop 9/11, the DC sniper, and the first World Trade Center attack was present in the nation's intelligence/information system prior to the occurrence of the events. It was the current network's flaws (stove-piping, one-way flows, gaps, over-centralization, security restrictions, interfaces, and multiple technologies) that prevented the timely use of this information. To prevent future attacks, the Markle Foundation has prepared a 2003 report, "Creating a Trusted Network for Homeland Security" (PDF), that recommends building a dynamic and decentralized national intelligence network.

What's needed: A national Weblog/Wiki network
These requirements beg the question: what system would enable all of this functionality? The simple and powerful answer (it is the only system I know of that can accomplish this) is a weblog/wiki network with fast search indexing (along the lines of what we have been talking about on K-logs for the last three years). A network of this type provides:

Easy directory development through a Wiki (see the Wikipedia for an example) and OPML (Outline Processor Markup Language -- based on XML).

Open architecture using XML. Weblogs use XML. Both RSS and OPML are XML based.

The ability to handle multiple data types. Weblogs allow the publishing and the receipt (automated if necessary through RSS enclosures) of multiple data types. Also, search engines like Google allow these data types to be easily searched once published.
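An OPML directory of this kind is exactly the sort of document a national network would ingest from thousands of contributors, so the importer has to treat it as untrusted XML. The following is an added example, not code from this blog or from any K-logs project: it flattens a constructed OPML directory into a feed index using the Python standard library's expat parser and refuses any document that carries a DTD or entity declaration, which is where entity-expansion and external-entity abuse of XML parsers comes from. The sample documents, the example.org URLs and the helper names are constructed for the illustration.

```python
"""Parse an OPML feed directory into a flat feed index, refusing any DTD.
Added example; the sample documents and helper names are constructed."""
from xml.parsers import expat

# Constructed sample: a two-level directory. Folders are outline elements
# without an xmlUrl; feeds are outline elements that carry one.
SAMPLE_OPML = """<?xml version="1.0" encoding="UTF-8"?>
<opml version="2.0">
  <head><title>Analyst feed directory (constructed sample)</title></head>
  <body>
    <outline text="Energy">
      <outline text="Pipeline watch" type="rss"
               xmlUrl="https://example.org/pipelines/rss.xml"/>
    </outline>
    <outline text="Transport" type="rss"
             xmlUrl="https://example.org/transport/rss.xml"/>
  </body>
</opml>
"""

# Constructed sample of an upload that should never reach the index: it
# declares a DTD with an entity, the precondition for expansion and
# external-entity tricks, so the importer rejects the whole document.
UNTRUSTED_OPML = """<?xml version="1.0"?>
<!DOCTYPE opml [<!ENTITY x "x">]>
<opml version="2.0"><body><outline text="&x;"/></body></opml>
"""


class UnsafeDocument(ValueError):
    """Raised when an OPML document carries a DTD or entity declaration."""


def parse_opml(data):
    """Return [{path, type, url}] for every outline that points at a feed.
    `path` is the folder chain built from the enclosing outline labels."""
    feeds, folders = [], []

    def reject(*_):
        raise UnsafeDocument("DTD and entity declarations are not accepted")

    def start(name, attrs):
        if name != "outline":
            return
        label = attrs.get("text", "")
        if attrs.get("xmlUrl"):
            feeds.append({"path": "/".join(folders + [label]),
                          "type": attrs.get("type", ""),
                          "url": attrs["xmlUrl"]})
        folders.append(label)

    def end(name):
        if name == "outline":
            folders.pop()

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject     # any <!DOCTYPE ...> aborts
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return feeds


def accepted(data):
    """True if the document parses cleanly under the no-DTD policy."""
    try:
        parse_opml(data)
        return True
    except (UnsafeDocument, expat.ExpatError):
        return False


if __name__ == "__main__":
    for feed in parse_opml(SAMPLE_OPML):
        print(feed)
    print("untrusted sample accepted:", accepted(UNTRUSTED_OPML))
```

Rejecting the DTD outright, rather than trying to limit entity expansion, is the simplest rule to reason about: well-formed OPML never needs one, so the check costs nothing and removes an entire class of parser abuse before any outline is read.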

Let's get moving!
A national intelligence system of this type can scale to a global level, linking up open societies everywhere there is an Internet connection. The only requirement necessary to start this is the decision to start -- the expense would be negligible (tens of millions), training would be almost unnecessary (Web standards are used -- almost everyone knows how to type an e-mail or search using Google), and the time needed to implement is short (less than a year from the word go to launch of the basic system). If you would like to discuss this in depth, please contact me directly.

As terrorists move to the global guerrilla war paradigm, infrastructure becomes the main focus of attacks. The recent attacks on Iraq's al Baqra oil terminal (see Journal: Attacks on systems?) and the deadly attack on western petroleum employees in Saudi Arabia indicate that this shift is already under way. However, US oil infrastructure vulnerability isn't limited to international production and transport; there are significant vulnerabilities within US borders. As with most US infrastructure, there are extreme levels of concentration due to under-investment and efficiency. Allegro Energy Group's "How Pipelines Make the US Energy System Work" (PDF) provides insight into this issue.

Transport concentration. A large majority of US oil (68%) is delivered by domestic pipelines. The US oil pipeline infrastructure is extremely concentrated, with relatively few large pipelines. Additionally, US pipelines ship more than just oil: they also transport diesel and gas, so an attack on a pipeline will have an impact on multiple markets. Experience in Iraq shows that even limited physical attacks against oil pipeline infrastructure can disrupt transport for extended periods (months). These physical attacks can be made with relative ease.

Control system concentration. As with the power system, the US oil system relies on a security-free command and control system (a SCADA network). This system lacks encryption, operates on open networks, and is easily hacked (see "Power Peril" for more on control system vulnerabilities).

Production concentration. The Gulf Coast provides 55% of domestic crude and 47% of refined product production. This presents a similar vulnerability to the al Baqra oil terminal. A single, well planned attack could provide strategic impact that could not be easily replaced.

How to Limit this Vulnerability
The US oil industry has made some efforts to improve security on our pipeline infrastructure, including increased security for critical facilities, improved coordination with law enforcement, and an Internet mapping system. Unfortunately, the industry is in deep denial as to the potential threat. For example, here's a recent quote from an industry body: "When it comes to pipeline safety and security, Americans have little to fear." A more realistic response would be to add the following security measures:

A system-wide security sensor network and an encrypted/secure command and control network. Sensor and wireless technology has made amazing strides over the last decade. It's time to bite the bullet and invest in these networks.

An industry sponsored private military rapid response team. Infrastructure industries should not rely on US law enforcement for dedicated help. The private military market (which has become both large and sophisticated over the last decade) can provide a high quality dedicated force that can quickly respond to incidents to limit damage.

Redundancy and local stockpiling. This approach requires a change in mindset from just-in-time delivery (which is efficient) to continuity of supply (which takes into account customer costs due to a disruption of supply).

Sunday, 25 April 2004

Covert terrorist networks, like the global guerrilla networks that will follow, are in constant motion. While traditional social network analysis is useful as a snapshot of an operation (see "Mapping Terrorist Networks"), it breaks down quickly as the network alters form and focus. It is also poor at predicting configurations and key actors in the face of incomplete information. A more robust method is proposed by Kathleen Carley (of the Univ. of Michigan) in her paper, "Dynamic Network Analysis" (PDF). She defines dynamic network analysis as:

Dynamic network analysis (DNA) varies from traditional social network analysis in that it can handle large dynamic multi-mode, multi-link networks with varying levels of uncertainty. DNA, like quantum mechanics, would be a theory in which relations are probabilistic, the measurement of a node changes its properties, movement in one part of the system propagates through the system, and so on.

Carley applies this technique to the isolation (assassination, arrest/incarceration, or taint) of key members and a network's ability to recover from this insult. She finds:

The type of network matters. Cellular networks are more robust than hierarchies (no surprise here).

Networks can heal themselves (quickly). Cellular "network structures are able to heal relatively faster than other structures both in terms of the re-emergence of leaders and in terms of performance recoveries after personnel have been removed."

Full knowledge of the network isn't needed. As opposed to social network analysis, which requires nearly perfect knowledge (often historical), dynamic analysis can be effective with knowledge of only 50% of a network's members.

Friday, 23 April 2004

A good way to understand how terrorist networks work is to map them. A well constructed map provides insight into how the network operates. In his paper "Uncloaking Terrorist Networks," Valdis Krebs uses social network analysis to map the terrorist network that carried out the 9/11 attacks. Despite incomplete knowledge of all the connections between members, his analysis is still cogent and probably fairly close to reality. Here's what he found out about the network's structure:

A sparse operational network. The 19 members of the operational cells (the actual 9/11 hijackers) were relatively isolated. The mean path length -- the average number of hops between any one member of the network to any other -- was a high 4.75. The greatest number of network connections between members was 5. Additionally, key members pulsed connections to other key members in the network through brief coordination meetings. These brief meetings reduced the distance between operational members by 40% (from a mean path length of 4.75 to 2.79).

A larger administrative network to support the operational teams. The administration network provided a means to "keep alive" many of the weak connections between sparsely connected members of the operational network. They also provided much of the ongoing care needed to prepare an otherwise isolated operational team member for the attack.

A leadership structure despite a lack of formal hierarchy. When the network is looked at in its entirety (operational plus administrative), Mohammed Atta emerged as the leader. Atta had 22 connections to other people in the network, much more than any other (the nearest other outlier was 18). Mohammed Atta's position in the network gave him control of its operation. Atta scored high in all measures of network connectivity: degree (activity on the network), closeness (his ability to access others on the network -- fewer hops), and betweenness (control over the network -- a central position that allowed him to broker the flow of information across the network).

The costs and benefits of this network configuration

Al Qaeda didn't design this network. It grew organically based on a combination of the operational requirements and the initiative of its members. Despite this organic nature, the design worked extremely well. Here are the dynamics:

The interplay of distance in the operational network and the closeness of the administrative network enhanced the network's operation. The intentional lengthening of the mean path in the operational network improved the security of the network (no one member knew a majority of the others). The administrative network mitigated the detrimental aspects of this configuration (less learning, poorer planning, etc.) by helping to lower the mean path between members. It also provided supplemental clusters of skills and capabilities to provide localized enhancement of the operational network. NOTE: Notice that three of the four operational cells were at the minimum size for small groups, while the entire group -- operational plus administrative -- is at the optimal size for a medium sized group (see "What is the optimal size of a terrorist network?"). The only small cell that failed (crashed in PA) was below the lower limit of five members.

Trust between members of the network was based on deep relationships. Many of the relationships between members of the 9/11 terrorist network were developed years before in the al Qaeda training camps in Afghanistan. This prior knowledge/experience allowed the communication between network members to operate at a high degree of sophistication. It also lowered the transaction costs of forming and operating the network (which may be one of the keys to why these networks can be so lean -- more on this later; it's a complicated issue that will take some explaining). The downside to this trust requirement is that people with unique skills may not be included.

There was too much overlap between unique skill sets and leadership positions in the network. Examination of the network indicates that the trained pilots (a unique skill) were also the network leaders (identified by the number of connections). This overlap of skills/responsibilities made the network vulnerable. The reason for this is probably a combination of personal bias of Mohammed Atta when building this network and the requirement for an extreme level of commitment necessary to conduct a kamikaze operation.

Hard Lessons

The 9/11 terrorist network will likely serve as a model for future activities. Here's what can be applied to future counter-terrorist efforts:

Expect these operational networks to be run by relative unknowns. Neither Osama bin Laden nor many of his top aides were a direct part of the network map. Osama's absence indicates that he has a "hands-off" management style. He does not micromanage. The network structure indicates that projects sponsored by al Qaeda are operated like independent businesses that acquire their own resources, do their own planning, and execute their plans without reference to senior authority. This is further support for the idea that bin Laden is operating a venture capital incubator model of terrorism. This also implies that Osama's removal will likely not have any measurable impact, since al Qaeda's operations are run by entrepreneurs over a period of years.

Assassination of a single network leader will not work. Despite the concentration of leadership and unique skills in Mohammed Atta, his assassination would not have prevented the operation. A second emergent leader with a high degree of connectivity was present: Marwan al-Shehhi. If Atta had been removed, his loss would have eliminated one cell from the operational team (he was a pilot) while leaving most of the network intact. In order to disrupt the network fully, multiple high flow targets must be taken out simultaneously in order to prevent the emergence of alternative leadership. NOTE: There is also a high degree of dynamism in the network structure not captured by this analysis. This will be a topic of future analysis.

Strategic attacks are possible with a network of less than 70 people. The small size, and low cost, of the 9/11 terrorist network should give pause to all counter-terrorist planners. Given that an estimated 100,000 people trained in Afghanistan, the potential for replays of 9/11 style strategic attacks is very high. The key members of the 9/11 network relied on trust built on face-to-face meetings in the Afghanistan camps. This implies that the key to unraveling the entire network is to gain access to Osama's list of people who trained in the camps (al Qaeda literally means "the database").
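As an added illustration (not from Krebs's paper, Carley's paper, or this post), the script below computes the measures the post leans on -- degree, closeness, betweenness and mean path length -- on a small constructed graph of three cells plus two connector nodes, then removes the highest-degree node to show the point made under "Hard Lessons": a second hub takes over and the network stays connected, though its mean path length grows. All node names and links are made up for the example.

```python
"""Centrality and leader-removal demo on a constructed toy network.

Nodes "c1a".."c3c" are three fully connected cells; "A" and "B" are two
connector nodes (an operational coordinator and an administrative contact).
Placeholder names only; this is not a map of any real network.
"""
from collections import deque

# Constructed sample edges (undirected). A links to two members of cells 1-2
# and one of cell 3; B links to the remaining members of each cell.
SAMPLE_EDGES = [
    ("c1a", "c1b"), ("c1a", "c1c"), ("c1b", "c1c"),
    ("c2a", "c2b"), ("c2a", "c2c"), ("c2b", "c2c"),
    ("c3a", "c3b"), ("c3a", "c3c"), ("c3b", "c3c"),
    ("A", "c1a"), ("A", "c2a"), ("A", "c3a"), ("A", "c1c"), ("A", "c2c"),
    ("A", "B"),
    ("B", "c1b"), ("B", "c2b"), ("B", "c3b"), ("B", "c3c"),
]


def build_graph(edges):
    """Adjacency sets from an undirected edge list."""
    g = {}
    for u, v in edges:
        g.setdefault(u, set()).add(v)
        g.setdefault(v, set()).add(u)
    return g


def remove_node(g, node):
    """Copy of g with `node` and all of its links removed (isolation of a member)."""
    return {u: {v for v in nbrs if v != node} for u, nbrs in g.items() if u != node}


def bfs_distances(g, src):
    """Hop counts from src to every reachable node."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in g[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def is_connected(g):
    return len(bfs_distances(g, next(iter(g)))) == len(g)


def mean_path_length(g):
    """Average hops between reachable pairs (the post's 'mean path length')."""
    total = pairs = 0
    for u in g:
        for v, d in bfs_distances(g, u).items():
            if v != u:
                total += d
                pairs += 1
    return total / pairs  # each unordered pair is counted twice; ratio is unchanged


def degree(g):
    return {u: len(nbrs) for u, nbrs in g.items()}


def closeness(g):
    """(n-1) / sum of distances; assumes a connected graph."""
    n = len(g)
    return {u: (n - 1) / sum(bfs_distances(g, u).values()) for u in g}


def betweenness(g):
    """Brandes' algorithm; scores count each unordered pair once."""
    bc = {v: 0.0 for v in g}
    for s in g:
        stack, pred = [], {v: [] for v in g}
        sigma = {v: 0 for v in g}
        dist = {v: -1 for v in g}
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:  # forward pass: count shortest paths
            v = queue.popleft()
            stack.append(v)
            for w in g[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = {v: 0.0 for v in g}
        while stack:  # backward pass: accumulate dependencies
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {v: x / 2 for v, x in bc.items()}


def top_node(scores):
    return max(scores, key=scores.get)


def leader_removal_report(edges):
    """Remove the highest-degree node and report what the remaining network looks like."""
    g = build_graph(edges)
    leader = top_node(degree(g))
    after = remove_node(g, leader)
    return {
        "leader": leader,
        "mpl_before": mean_path_length(g),
        "mpl_after": mean_path_length(after),
        "still_connected": is_connected(after),
        "emergent_leader": top_node(degree(after)),
    }


if __name__ == "__main__":
    graph = build_graph(SAMPLE_EDGES)
    for name, fn in (("degree", degree), ("closeness", closeness), ("betweenness", betweenness)):
        print(name, top_node(fn(graph)))
    print(leader_removal_report(SAMPLE_EDGES))
```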

Tuesday, 20 April 2004

The Web provides terrorist networks with the means to route around corporate media and take their message directly to a global audience. However, how good are these sites at accomplishing their goals (with both internal audiences and external audiences), and what can these sites tell us about where terrorism is headed? Gabriel Weimann, in his new study, "www.terror.net: How Modern Terrorism uses the Internet," provides us with some of the insight needed to answer these questions. His team's review of these sites uncovered the following elements:

Site Content

A history of the organization.

A detailed overview of its political and social background.

Accounts of their exploits.

Details of its leaders, founders, and heroes.

Information on its political and ideological goals.

Fierce criticism of its enemies.

Up-to-date news.

Maps of the area in dispute (for nationalist organizations).

Target Audience

Current and future supporters (local languages and collateral material such as T-shirts and tapes).

International public opinion including foreign journalists (via translations and press releases).

Enemy populations (threats and material on the enemy's guilt).

Site Goals

Psychological warfare (threats of impending "massive attacks").

Publicity and propaganda (an explanation for why the group chose violence).

Planning and coordination (active planning using password protection and encryption).

How effective are these sites?
There are a variety of methods by which to analyze the effectiveness of these sites. These include:

User-experience failures. Most terrorist sites seem to be fairly effective at serving the needs and expectations of current and future supporters. However, two user profiles are underserved: international public opinion and enemy populations. This failure limits the impact of these sites as a means of psychological warfare and propaganda. Improvement in this area should be monitored closely. NOTE: Recent experience in the US presidential campaign indicates that these sites will never be effective as a means of influencing general audiences (the underserved profiles mentioned above). Rather, these sites will always be better as a means of "activating" geographically dispersed supporters.

Impermanence disrupts audience growth. Terrorist sites are under constant attack. These attacks often force them to shift location (sometimes on an hourly basis). This breaks bookmarks, search engine listings, and linkage. It often also leads to substandard hosting locations (see the Hizbollah site -- on a very slow connection). This lack of stability puts strong limits on audience size. Items to watch: increasing leverage of search engine caches, horizontal proliferation (via simple publishing technologies), and P2P distribution.

A corporate communications approach limits appeal. Most sites use the language of press releases (dry and on message). This lack of a personal voice distances the group from the audiences it attempts to serve. As a result, groups are seen as impersonal and mechanistic. Watch for: the emergence of a personal voice in terrorist propaganda via the application of community features.

Where is terrorism headed?
This review of terrorist sites offers several strong clues as to the future direction of terrorism. These clues are:

New technologies will expand the impact of terrorist Web sites. The advent of weblogs, RSS, and other forms of social software has not had an impact on the terrorist world yet. However, this software will soon arrive and bring with it the ability to improve online efforts. This new technology will improve fundraising, activate supporters on the sidelines, enhance skill/information sharing, and increase survivability. NOTE: This shift is already in motion. Hamasonline, for example, uses a weblog style front page.

Direct clues. Given the loose non-hierarchical structure of terrorist networks, shifts in global strategy are often publicized on group Web sites. For example, Osama bin Laden posted the following item which indicates a shift from terror to system sabotage, “America is in retreat by the Grace of Almighty and economic attrition is continuing up to today. But it needs further blows. The young men need to seek out the nodes of the American economy and strike the enemy’s nodes.” This portends a shift to system attacks.

The message realigns actions. Most terrorist sites, except Hamas and Hezbollah, do not claim or detail their terror attacks. This reflects an unstated recognition that these attacks actually harm achievement of their goals by alienating audiences. Over time, there will be a closer alignment between the stated goals on the Web sites of the terrorist networks and their actions. The Web message, given its use as a means of intra- and inter-network communication, will overwhelm historical biases towards body-count centric attacks. This alignment will be accomplished by shifting to assaults on systems rather than people.

Thursday, 15 April 2004

Nassim Taleb, a scientist-philosopher-businessman, makes the case that 9/11 was a black swan. A black swan is an unpredictable event that defies prediction. An outlier. I agree. He expands:

A vicious black swan has an additional elusive property: its very unexpectedness helps create the conditions for it to occur. Had a terrorist attack been a conceivable risk on Sept. 10, 2001, it would likely not have happened.

In their analysis of black swans (which by definition will likely never be repeated), human beings engage in what is called hindsight bias. This is the tendency to believe that the event was predictable based on knowledge gained after the event occurred. In effect, people unknowingly substitute current knowledge of outcomes into the gaps of knowledge that were present when building earlier expectations of potential events. In regards to 9/11, Nassim points out the following (with additional analysis from this weblogger given the complexity of the topic):

We will focus on specificity at the expense of the holistic. 9/11 analysis has unearthed specific facts (the Phoenix memo for example) that may have enabled the prevention of the event. These factual revelations have resulted in a useless blame game. The flaw is that specific facts taken out of context prevent sufficient consideration of the larger informational landscape. A better approach is to develop general knowledge that can be used to improve future responses (improvements in intelligence information flow, for example).

We won't compare the negligence in this single case to the normal rate of negligence. It is impossible to guard against everything. We don't have infinite resources. That is as true today as it was before 9/11. A real test of negligence during the pre-9/11 time period is to examine whether resources applied in other areas of security were ineffective too. If they weren't effective, there are major systemic problems that need to be fixed.

We will assume that it is possible to incentivize behavior that prevents future black swans. Prevention of uncertain events is almost impossible to quantify in any meaningful way -- a necessary step for the establishment of incentives. Notice how few people in the government lost their job due to 9/11. This is an example of the failure of incentives to guard against black swans despite assumptions to the contrary.

His recommendation: the government should hire creative thinkers that can imagine the impossible. The reason, unstated, is that these people will challenge existing expectations.

This analysis is smart. Here is my attempt at creative thinking. The attack on 9/11 was an outlier in scale, scope, and breadth in comparison to previous terrorist incidents. In many ways it was a continuation of an existing pattern (see the Terrorist Deathmarch). That "Deathmarch" pattern should be considered an essential element of the general knowledge we can use to prevent future attacks. However, despite this knowledge, future attacks will likely be black swans too. The reason is that terrorism is in the process of evolving into new forms. Strategy is a dynamic process; it evolves (sometimes quickly). This is because the collective minds of both warring parties are constantly innovating to best the other.

Creative thinking on what these new forms of terrorism will likely be is essential. This is the reason I created this weblog (and the reason I am writing my book).

Saturday, 10 April 2004

The US electrical infrastructure is extremely vulnerable to deliberate disruption (this isn't only a US problem). This is disturbing given that the vast majority of the US economy is tightly linked to the availability of electricity. Wide-scale, sustained disruption is extremely likely given structural factors in the power industry and the increasing amount of intelligence data that indicates terrorists are targeting infrastructure. Massoud Amin of EPRI (Electric Power Research Institute) concludes in his presentation "Electricity Infrastructure Vulnerabilities" (PDF) and his article "Security Challenges for the Electricity Infrastructure" that these structural problems are:

Underinvestment. The power industry ranks near the bottom of all US industries in R&D spending as a percentage of sales. Further, transmission and generation capacity has fallen well behind demand for over 30 years. The result is that the current power infrastructure is at a critical level of usage, which makes it easy to disrupt. The lack of R&D spending means that there aren't any solutions ready for immediate deployment.

Over centralization. In the pursuit of efficiency, power infrastructure has become increasingly centralized. Additionally, the power system control system was built without security (a cost) in mind and commonly uses low cost public communications networks. The combination of these factors has resulted in a system that can be easily commandeered and driven to fail.

Too much complexity. The push to maximize the utilization of existing infrastructure to meet rapidly growing demand and the increasing use of power system integration to share resources has radically increased the complexity of the power network. This complexity has made it extremely difficult to exercise rational control over the network when faced with disruption. Further, the complexity of the network itself can lead to large scale disruptions when faced with perturbations.

The result of these factors leaves us with a power system that is ripe for exploitation. The result of an attack of this type would be catastrophic to our economy. To mitigate these dangers, the power industry recommends the following changes to our power grid:

Wide area sensing and control. A new sensor infrastructure that greatly improves the quality and timeliness of data from the network must be built. Additionally, a new command system should be installed that allows more robust vulnerability assessment and failure analysis for operators.

Intelligent adaptive islanding. A major area of vulnerability for the current US system is its interdependence. A failure in one area can spill over into other areas due to tight coupling. A system that enables local problems to remain local is needed.

Adaptive self healing. The most ambitious proposal is to build intelligence into all aspects of the grid such that the system is able to heal itself when assaulted. Intelligence at the periphery mitigates the vulnerabilities of centralized control, reduces complexity (if designed right), and improves responsiveness.

The likelihood of these improvements to the power system being made is slim. They cost too much, particularly during a period of austerity. As terrorists increasingly move towards attacks on systems, the likely result will be:

Substantial economic damage. The US power system will likely suffer a major sustained outage due to terrorist assault in the next ten years. The resulting economic damage will be measured in the tens of billions. Multiple attacks could push this economic damage to a point or two of the US GNP (enough to qualify as a severe recession).

Increasing self-reliance. US industries and individual homeowners can mitigate losses by investing in local power infrastructure. Alternatives such as solar power become increasingly cost effective when potential disruptions to the grid are factored in.

Cascading system failures. The central role of the US power system in our computerized economy cannot be overstated. A disruption of the power grid will cause major failures in coupled networks. Additional attacks on these ancillary networks would in turn slow repair efforts on the power grid and extend times of general failure.

Wednesday, 24 March 2004

Distributed, dynamic terrorist networks cannot scale like hierarchical networks. The same network design that makes them resilient against attack puts absolute limits on their size. If so, what are those limits?

A good starting point is to look at limits to group size within peaceful online communities on which we have extensive data -- terrorist networks are essentially geographically dispersed online communities. Chris Allen does a good job analyzing optimal group size with his critique of the Dunbar number.

His analysis (replete with examples) shows that there is a gradual fall-off in effectiveness at 80 members, with an absolute fall-off at 150 members. The initial fall-off occurs, according to Chris, due to an increasing amount of effort spent on "grooming" the group to maintain cohesion. The absolute fall-off at 150 members occurs when grooming fails to stem dissatisfaction and dissension, which causes the group to cleave apart into smaller subgroups (that may remain affiliated).

Al Qaeda may have been able to grow much larger than this when it ran physical training camps in Afghanistan. Physical proximity allowed al Qaeda to operate as a hierarchy along military lines, complete with middle management (or at least a mix of a hierarchy in Afghanistan and a distributed network outside of Afghanistan). Once those camps were broken apart, the factors listed above were likely to have caused the fragmentation we see today (lots of references to this in the news).

This leads us to optimal group size, which according to Chris Allen's online group analysis, can be seen at two levels: both small and medium sized. Small, viable (in that they can be effective at tasks) groups (or cells) are optimized at 7-8 members. A lower boundary can be seen at 5 (with groups less than 5 not having sufficient resources to be effective) and an upper boundary at 9. Medium sized groups are optimal at 45-50 members, with a lower limit of 25 and an upper limit of 80. Between these levels is a chasm that must be surmounted with significant peril to the group. This is due to the need for groups above 9-10 members to have some level of specialization by function. This specialization requires too much management oversight to be effective given the limited number of participants in each function. At 25 members, the group gains positive returns on specialization given the management effort applied (a break-even point).

This chasm (between 9-25 members) nicely matches the problem period in the development of terrorist and guerrilla networks that studies of guerrilla groups refer to. The amount of damage a small (7-8 member) group can do is limited to narrow geographies and therefore does not represent a major threat. Once a network grows to 45-50 members, it can mount large attacks across multiple geographies. It is also very difficult to eliminate due to the geographic dispersion of its cells. However, during the transition to a larger group it is vulnerable to disruption. This vulnerability necessitates fast counter-terrorist action (this gives credibility to the military strategists who claim we didn't have enough troops in Iraq immediately after the war, nor were we quick enough to establish martial law) during the short period of time a network is transitioning in size.

This size dynamic can also be seen in criminal organizations. The mafia (BBC), despite its widespread influence, has closely mirrored the limits on group size:

The Genoveses are the largest of the five families in New York and they recruited nine new foot soldiers, bring their total to 152.

The Gambinos, had a terrible year from 2000-2001, losing 33 members, but they still managed to retain 130, making them the second largest in terms of manpower.

Meanwhile the Luccheses have initiated three more gangsters, lifting them to third place with a total of 113 hoods on the streets, according to FBI reports.

Dempsey said he estimated there were only about 100 "foreign terrorists" in Baghdad, organized into about six cells. In Anbar province, which stretches across western Iraq and includes the strife-torn cities of Ramadi and Fallujah, Maj. Gen. Charles H. Swannack Jr. of the 82nd Airborne Division said he believed there were a total of 50 to 80 foreign fighters in eight to 10 cells.

This indicates a cell size (the optimal size of the smallest viable network) of between 5 and 12 members.

Note: The limits on organizational size do not mean that terrorist or crime organizations can't expand their ranks on a temporary basis. There are plenty of "contract" employees available. There is also the potential for intergroup cooperation (we see this in both crime and terrorism).

Tuesday, 23 March 2004

What would be the economic impact of a terrorist attack on critical infrastructure? A good measure to use is the 2003 northeastern blackout. Anderson consulting ("Northeast Blackout to reduce US earning $6.4 billion") did a relatively thorough study of the impact. Here are the highlights:

Lost income to workers and profit reductions of companies: $3.12 to $5.2 billion.

Spoilage (food, etc.): $380 to $940 million.

Additional police and emergency services: $15 to $100 million.

Higher utility rates (for repairs and overtime): $1 to $2 billion.

The total economic impact estimated by Anderson ranges between $4.51 and $8.24 billion.

Other economic impacts (to put this blackout in perspective):

The 2002 Port shutdown: $1.67 billion

The 1998 GM strike: $2.7 billion

One interesting factoid: The blackout occurred on a Thursday afternoon. If it had occurred on a Monday or a Tuesday, lost production would have been double.

This estimate provides a good starting point for further analysis. Specifically, areas I have focused on (in my upcoming book) are:
